function login($username, $passwd, &$errors, $strike = true)
{
global $ost, $cfg;
if ($_SESSION['_staff']['laststrike']) {
if (time() - $_SESSION['_staff']['laststrike'] < $cfg->getStaffLoginTimeout()) {
$errors['err'] = 'Max. failed login attempts reached';
$_SESSION['_staff']['laststrike'] = time();
//reset timer.
} else {
//Timeout is over.
//Reset the counter for next round of attempts after the timeout.
$_SESSION['_staff']['laststrike'] = null;
$_SESSION['_staff']['strikes'] = 0;
}
}
if (!$username || !$passwd || is_numeric($username)) {
$errors['err'] = 'Username and password required';
}
if ($errors) {
return false;
}
if (($user = new StaffSession(trim($username))) && $user->getId() && $user->check_passwd($passwd)) {
self::_do_login($user, $username);
Signal::send('auth.login.succeeded', $user);
$user->cancelResetTokens();
return $user;
}
$info = array('username' => $username, 'password' => $passwd);
Signal::send('auth.login.failed', null, $info);
//If we get to this point we know the login failed.
$_SESSION['_staff']['strikes'] += 1;
if (!$errors && $_SESSION['_staff']['strikes'] > $cfg->getStaffMaxLogins()) {
$errors['err'] = 'Forgot your login info? Contact Admin.';
$_SESSION['_staff']['laststrike'] = time();
$alert = 'Excessive login attempts by a staff member?' . "\n" . 'Username: '******'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n" . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n" . 'Attempts #' . $_SESSION['_staff']['strikes'] . "\n" . 'Timeout: ' . $cfg->getStaffLoginTimeout() / 60 . " minutes \n\n";
$ost->logWarning('Excessive login attempts (' . $username . ')', $alert, $cfg->alertONLoginError());
} elseif ($_SESSION['_staff']['strikes'] % 2 == 0) {
//Log every other failed login attempt as a warning.
$alert = 'Username: '******'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n" . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n" . 'Attempts #' . $_SESSION['_staff']['strikes'];
$ost->logWarning('Failed staff login attempt (' . $username . ')', $alert, false);
}
return false;
}
function authenticate($username, $password)
{
if (($user = new StaffSession($username)) && $user->getId() && $user->check_passwd($password)) {
//update last login && password reset stuff.
$sql = 'UPDATE ' . STAFF_TABLE . ' SET lastlogin=NOW() ';
if ($user->isPasswdResetDue() && !$user->isAdmin()) {
$sql .= ',change_passwd=1';
}
$sql .= ' WHERE staff_id=' . db_input($user->getId());
db_query($sql);
return $user;
}
}
// Check version
$errors['err'] = ' Nothing to do! System already upgraded';
$inc = 'upgradedone.inc.php';
} elseif ($_SESSION['abort']) {
// Check if already aborted
die('Upgrade already aborted! Restore previous version and start all over again (logout required) or get help.');
} elseif ((double) phpversion() < 5.1) {
// Too old PHP installation
$errors['err'] = 'PHP installation seriously out of date. PHP 5.2+ is required.';
$wrninc = 'php.inc.php';
} elseif (!ini_get('short_open_tag') && (double) phpversion() < 5.4) {
// Check PHP version
$errors['err'] = 'Short open tag disabled! - with PHP version prior to 5.4 Katak Support requires it turned on.';
$wrninc = 'shortopentag.inc.php';
} elseif ($_POST && !$errors) {
if ($adminloggedin || ($thisuser = new StaffSession($_POST['username'])) && $thisuser->getId() && $thisuser->check_passwd($_POST['password'])) {
switch ($cfg->getVersion()) {
case '0.9':
//upgrading from ver. 0.9.x.
$schema = './inc/ktk-upgrade-0.9.sql';
break;
case '1.0':
//upgrading from ver. 1.0.x.
$schema = './inc/ktk-upgrade-1.0.sql';
break;
default:
$schema = '';
// This leads to an error in loading the schema
}
$vars = $errors = array();
if (!load_sql_schema($schema, $errors) && !$errors['err']) {
$msg = $msg ? $msg : 'Se Requiere Autenticación';
if ($_POST && (!empty($_POST['username']) && !empty($_POST['passwd']))) {
//$_SESSION['_staff']=array(); #Uncomment to disable login strikes.
$msg = 'Datos Incorrectos';
if ($_SESSION['_staff']['laststrike']) {
if (time() - $_SESSION['_staff']['laststrike'] < $cfg->getStaffLoginTimeout()) {
$msg = 'Excesivos intentos fallidos de inicio de sesión';
$errors['err'] = 'Has llegado al máximo de intentos de conexión fallidos.';
} else {
//Timeout is over.
//Reset the counter for next round of attempts after the timeout.
$_SESSION['_staff']['laststrike'] = null;
$_SESSION['_staff']['strikes'] = 0;
}
}
if (!$errors && ($user = new StaffSession($_POST['username'])) && $user->getId() && $user->check_passwd($_POST['passwd'])) {
//update last login.
db_query('UPDATE ' . STAFF_TABLE . ' SET lastlogin=NOW() WHERE staff_id=' . db_input($user->getId()));
//Figure out where the user is headed - destination!
$dest = $_SESSION['_staff']['auth']['dest'];
//Now set session crap and lets roll baby!
$_SESSION['_staff'] = array();
//clear.
$_SESSION['_staff']['userID'] = $_POST['username'];
$user->refreshSession();
//set the hash.
$_SESSION['TZ_OFFSET'] = $user->getTZoffset();
$_SESSION['daylight'] = $user->observeDaylight();
Sys::log(LOG_DEBUG, 'Inicio de sesión de Staff', sprintf("%s Identificado como [%s]", $user->getUserName(), $_SERVER['REMOTE_ADDR']));
//Debug.
//Redirect to the original destination. (make sure it is not redirecting to login page.)
function login($username, $passwd, &$errors, $strike = true)
{
global $ost, $cfg;
if ($_SESSION['_staff']['laststrike']) {
if (time() - $_SESSION['_staff']['laststrike'] < $cfg->getStaffLoginTimeout()) {
$errors['err'] = 'You\'ve reached maximum failed login attempts allowed.';
} else {
//Timeout is over.
//Reset the counter for next round of attempts after the timeout.
$_SESSION['_staff']['laststrike'] = null;
$_SESSION['_staff']['strikes'] = 0;
}
}
if (!$errors && ($user = new StaffSession($username)) && $user->getId() && $user->check_passwd($passwd)) {
//update last login && password reset stuff.
$sql = 'UPDATE ' . STAFF_TABLE . ' SET lastlogin=NOW() ';
if ($user->isPasswdResetDue() && !$user->isAdmin()) {
$sql .= ',change_passwd=1';
}
$sql .= ' WHERE staff_id=' . db_input($user->getId());
db_query($sql);
//Now set session crap and lets roll baby!
$_SESSION['_staff'] = array();
//clear.
$_SESSION['_staff']['userID'] = $username;
$user->refreshSession();
//set the hash.
$_SESSION['TZ_OFFSET'] = $user->getTZoffset();
$_SESSION['TZ_DST'] = $user->observeDaylight();
$ost->logDebug('Staff login', sprintf("%s logged in [%s]", $user->getUserName(), $_SERVER['REMOTE_ADDR']));
//Debug.
$sid = session_id();
//Current ID
session_regenerate_id(TRUE);
//Destroy old session ID - needed for PHP version < 5.1.0 TODO: remove when we move to php 5.3 as min. requirement.
if (($session = $ost->getSession()) && is_object($session) && $sid) {
$session->destroy($sid);
}
session_write_close();
return $user;
}
//If we get to this point we know the login failed.
$_SESSION['_staff']['strikes'] += 1;
if (!$errors && $_SESSION['_staff']['strikes'] > $cfg->getStaffMaxLogins()) {
$errors['err'] = 'Forgot your login info? Contact Admin.';
$_SESSION['_staff']['laststrike'] = time();
$alert = 'Excessive login attempts by a staff member?' . "\n" . 'Username: '******'username'] . "\n" . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n" . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n" . 'Attempts #' . $_SESSION['_staff']['strikes'] . "\n" . 'Timeout: ' . $cfg->getStaffLoginTimeout() / 60 . " minutes \n\n";
$ost->logWarning('Excessive login attempts (' . $_POST['username'] . ')', $alert, $cfg->alertONLoginError());
} elseif ($_SESSION['_staff']['strikes'] % 2 == 0) {
//Log every other failed login attempt as a warning.
$alert = 'Username: '******'username'] . "\n" . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n" . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n" . 'Attempts #' . $_SESSION['_staff']['strikes'];
$ost->logWarning('Failed staff login attempt (' . $_POST['username'] . ')', $alert, false);
}
return false;
}
